Confusing advice about secrets and Wrangler

From what I can tell, it does not make sense to put sensitive data in the TOML file because this would be committed.

CF acknowledges this by suggesting we use

.dev.vars

.dev.vars

for local, and secrets for production.

However, when adding secrets (via the dashboard), CF then says it "recommend[s] updating your wrangler.toml file to keep your local development environment in sync."

So this advice seems to be contradictory.

A related issue is that, as far as I know, local DB connection strings for Hyperdrives must be specified in TOML, not

.dev.vars

.dev.vars

(the latter didn't work for me). So this necessitates having two TOML files - one production, one local - the local one being denoted via the

--config

--config

param, because putting the connection string in the main TOML would mean committing DB credentials.

Am I right in all the above, or can anyone clarify anything I'm missing?

mackenzie•1/24/24, 2:13 PM

not sure how env works in local.... does it absorb the shell env where it was started?

You would have to define env vars locally to match the ones you define in the dashboard I guess (if you need them defined always)?

MMitya From what I can tell, it does not make sense to put sensitive data in the TOML f...

Chaika•1/24/24, 2:17 PM

However, when adding secrets (via the dashboard), CF then says it "recommend[s] updating your wrangler.toml file to keep your local development environment in sync."

Yea you don't need to do that for secrets. Are you clicking "Encrypt" when adding them? For me adding a new encrypted environment variable properly doesn't come up with that menu

Chaika•1/24/24, 2:18 PM

well if you have any non-encrypted env variables it does come up with that, but it excludes the encrypted ones

MityaOP•1/24/24, 2:34 PM

Thanks @Chaika . Mine are non-encrypted (they're sensitive, but I'm just testing things out right now so I didn't encrypt them.)

MMitya Thanks @Chaika . Mine are non-encrypted (they're sensitive, but I'm just testing...

Chaika•1/24/24, 2:35 PM

well that's not a secret then, that's just an environment variable

Chaika•1/24/24, 2:36 PM

Secrets are just encrypted environment variables (can also be added via )

Chaika•1/24/24, 2:37 PM

Normal Environment Variables are not encrypted and useful for storing generic app config stuff (which account id to use, which endpoint, etc)